As a reminder, www.infosecdiaries.com is where you'll find a collection of short stories, based on real world information security happenings. It should not be confused with www.infosecdairies.com, which is where you'll find a collection of information security inspired dairy products.
Honestly, I don't understand the confusion, but hopefully this helps.
Good day all! If you have been looking for technical and behavioral artifacts regarding CVE-2023-2868, look no further! Mandiant (now part of Google Cloud) takes a deep dive into the activity of #UNC4841, a Chinese-nexus threat group, which shows how the group is growing in maturity and sophistication. There is a lot to learn about TTPs from this article and I hope you enjoy it as much as I did! Happy Hunting everyone!
I am soon starting a new job doing #threathunting, and I feel way out of my comfort zone. They told me I did well on the technical interview, but I was just applying my incident response experience and freestyling it. I feel a bit like threat hunting is peak #blueteam, and it is a bit soon to peak after just a year and a half in the industry, so I have managed to give myself impostor syndrome anxiety. Oh well. If I managed to trick my way this far, I should keep going and see how far it takes me.
Had a blast at Blue Team Con in Chicago this weekend, met lots of folks, listened to lots of talks, and was lucky enough to give one of my own. Thanks to everyone that came, and thanks to @BlueTeamCon for the opportunity. #infosec #blueteam #DFIR
For anyone at @BlueTeamCon who wants to understand why many forms of MFA are not phishing-resistant and why passkeys/FIDO2 are, tomorrow at 12:20pm during lunch in the #unconference room I’ll be delivering an impromptu session on #phishing resistant authentication, including a live demo of #evilginx.
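The reason a reverse proxy like evilginx can relay a TOTP code but not a passkey comes down to origin binding, and it is small enough to show in code. The following is an added example written for this page, not code from the original post or from evilginx: it simulates a TOTP login and a simplified WebAuthn assertion, with an HMAC standing in for the authenticator's private-key signature. The RP ID, the two origins, the TOTP seed, the credential key and the challenge are all constructed sample values.

```python
"""Why a relayed TOTP code verifies but a relayed FIDO2/WebAuthn assertion does not.

Added example, not code from the original post or from evilginx. HMAC stands in for the
authenticator's private-key signature, and the RP ID, origins, seed and challenge are constructed.
"""
import hashlib
import hmac
import json
import struct

RP_ID = "login.example.com"                            # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"                # assumed legitimate origin
PHISH_ORIGIN = "https://login.example.com.evil.test"   # assumed reverse-proxy (lookalike) origin


# --- TOTP (RFC 6238): the server never learns where the user typed the code ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_login(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    # Nothing in the code binds it to an origin, so a proxy that collects it can replay it
    # to the real site inside the same 30-second step.
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)


# --- WebAuthn assertion, reduced to the two origin-binding checks ---
def host_of(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]


def browser_get_assertion(cred_key: bytes, rp_id: str, challenge: str, page_origin: str) -> dict:
    """navigator.credentials.get() as the browser performs it. The page cannot override either
    check: rpId must be the page host or a registrable suffix of it, and the browser, not the
    page, writes the true origin into clientDataJSON."""
    host = host_of(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"SecurityError: rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    # Authenticator signs authenticatorData (here just rpIdHash) || SHA-256(clientDataJSON).
    sig = hmac.new(cred_key, rp_id_hash + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "rpIdHash": rp_id_hash, "signature": sig}


def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict) -> tuple:
    """Relying-party side: origin and challenge sit under the signature, so a proxy cannot rewrite them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpId hash mismatch"
    expected = hmac.new(cred_key, assertion["rpIdHash"] + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    results = {}
    seed, now = b"constructed-totp-seed", 1_700_000_000
    relayed_code = totp(seed, now)                      # typed into the phishing page, forwarded by the proxy
    results["totp_relayed"] = totp_login(seed, relayed_code, now)

    cred_key, challenge = b"constructed-credential-key", "c2FtcGxlLWNoYWxsZW5nZQ"
    results["fido_legit"] = rp_verify(cred_key, challenge,
                                      browser_get_assertion(cred_key, RP_ID, challenge, RP_ORIGIN))
    try:                                                # phishing page asks for the real RP ID
        browser_get_assertion(cred_key, RP_ID, challenge, PHISH_ORIGIN)
        results["fido_phish_browser"] = "assertion produced"
    except PermissionError as err:
        results["fido_phish_browser"] = str(err)
    # Even with an assertion scoped to the proxy's own host, the signed origin gives it away.
    relayed = browser_get_assertion(cred_key, host_of(PHISH_ORIGIN), challenge, PHISH_ORIGIN)
    results["fido_phish_rp"] = rp_verify(cred_key, challenge, relayed)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running it shows the relayed TOTP code accepted, the legitimate assertion accepted, the browser refusing to mint an assertion for the real RP ID from the lookalike origin, and the RP rejecting an assertion whose signed origin is the proxy's. The same two checks are what make push and SMS codes relayable and passkeys not.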
If you are at any stage in your #identity or #infosec career and curious how to start or expand yourself as an identity practitioner, come check out my talk on Track 2 at @BlueTeamCon 2023 today at 12:00pm.
What's the best way to follow #defcon from afar if you don't have a Twitter account? Who should I follow on the Fediverse? Are there great blogs? Perhaps livestreams on YouTube or Twitch?
Follow the Trend Micro researchers as they dissect the Big Head Ransomware variants. What I look for in these types of reports are the behaviors that are uncovered through the analysis and how I can apply these artifacts to a hunt in my environment. For example, one artifact they discovered is how the malware was designed to delete the backups on the compromised machine. Recognizing and learning these behaviors is crucial to conducting a successful threat hunt! Enjoy and Happy Hunting!
The next installment of the SentinelOne and #VXUnderground blog series features Millie Nym demonstrating their unique reverse engineering techniques as they analyze a sample of ArechClient2. Enjoy and Happy Hunting!
As usual, for this #miniCTF, I am going to leave out a piece of information and it is your job to find it! DM me with the answer or leave a comment!
Hint: Check the links in the article!
Notable MITRE ATT&CK TTPs:
TA0005 - Defense Evasion
T1055.? - Process Injection: [fill in this blank]
T1562 - Impair Defenses: Disable or Modify Tools
T1112 - Modify Registry
TA0009 - Collection
T1005 - Data from Local System
Happy Monday everyone! Rapid7 is the source of this #miniCTF and they highlight the recent activity of the #APT known as Blackmoon, aka KRBanker. Blackmoon is back with a new campaign that is designed to deploy unwanted programs and persistence, or to stay in the victims' environment as long as possible. Enjoy and #HappyHunting!
Link is in the comments!
I mention multiple MITRE TTPs, but can you find any I left out? And I MAY have messed up some of the numbers on some of them! Let me know what needs correcting!
Notable MITRE ATT&CK TTPs:
Enterprise Matrix
TA0028 - Persistence
T1547.010 - Boot or Logon Autostart Execution: Port Monitors
T1543.001 - Create or Modify System Process: Windows Service
TA0005 - Defense Evasion
T1055.012 - Process Injection: Process Hollowing
T1562.001 - Impair Defenses: Disable or Modify Tools
#HappyMonday everyone! I am back from a weeklong "vacation" with an article from the SentinelOne blog but the research was conducted by Pol Thill. There was a challenge thrown down by #VXUnderground and SentinelOne looking for research that was conducted but not previously published, which I think is a really interesting concept and needs to happen more often!
Anyways, here is Pol's research on Neo_Net, the Kingpin of Spanish eCrime! Enjoy and Happy Hunting!
Link in the comments!
Notable MITRE ATT&CK TTPs and Behaviors:
Mobile Matrix:
TA0035 - Collection
T1636.004 - Protected User Data: SMS Messages
TA0037 - Command and Control
T1437.001 - Application Layer Protocol: Web Protocols
T1481.003 - Web Service: One-Way Communication
Hey you! Yeah you. You want some promo codes to download some of the InfoSec Diaries Series Audiobooks (https://infosecdiaries.com) for free on Audible? Of course you do! - here you go! Go quick because these can only be used once:
Happy Friday everyone! Travel the world with the Check Point Software Technologies Ltd research team as they report how #CamaroDragon spread uncontrollably. Enjoy and Happy Hunting!
Link in the comments!
Here is your #miniCTF challenge
Beginner: What MITRE ATT&CK relates to the way the malware propagates?
Intermediate: There are at least two means of persistence mentioned in this article. What are they and what are their Technique/sub-technique IDs and titles?
Extra Credit: What log sources and event codes from those log sources will capture either the beginner's or intermediate (or both) challenges activity?
The Blue Team is charged with defending an organization against an array of technical security threats.
The Blue Team Diaries allow the reader to ride along with the Blue Team at Syntatic, a Seattle-based cloud company, who are charged with keeping millions of customer records safe.
Based on the author's real-world experiences, the diaries tell fictionalised versions of responding to actual security incidents. A must-read for anyone interested in computer security or the incident response field.
The #APT known as #Kimsuky strikes again, this time targeting think tanks, academia, and media organizations with a social engineering campaign. The goal? Stealing Google and subscription credentials for a news and analysis service that focuses on North Korea. Enjoy and Happy Hunting!
Link in the comments!
This one is a little different. In this article, SentinelLabs mentioned ReconShark being used. Can you provide me with any TTPs that are associated with that #malware?
My team just released a new MFA bombing testing tool. It can be used in purple & red team modes to execute MFA fatigue/spamming/bombing on #Okta users. After we'll add more IdPs
AFAIK it is the first MFA bombing tool for Okta.
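A tool that bombs Okta users with pushes is also a good way to check that the blue team sees it. The following is an added detection example, not part of the tool announced above and not Okta's code: it runs a sliding-window count of Okta Verify push events per user over constructed System Log records. The eventType strings and the actor.alternateId, outcome.result, published and client.ipAddress field paths are assumed from the Okta System Log schema; the threshold and window are arbitrary tuning knobs.

```python
"""Detecting MFA fatigue (push bombing) against Okta users from System Log events.

Added example, not code from the tool announced above or from Okta. The eventType names and
field paths below are assumptions about the Okta System Log schema; the events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_SENT = "system.push.send_factor_verify_push"   # assumed eventType: Okta Verify push issued
PUSH_DENIED = "user.mfa.okta_verify.deny_push"      # assumed eventType: user tapped "No, it's not me"
MFA_SUCCESS = "user.authentication.auth_via_mfa"    # assumed eventType: MFA challenge satisfied


def _ev(ts, event_type, user, result="SUCCESS", ip="203.0.113.10"):
    # Minimal System Log record with only the fields the detection reads (constructed).
    return {"published": ts, "eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}


SAMPLE_EVENTS = [  # constructed: alice is bombed and eventually approves, bob logs in normally
    _ev("2023-08-28T10:00:00.000Z", PUSH_SENT, "alice@example.com"),
    _ev("2023-08-28T10:00:30.000Z", PUSH_SENT, "alice@example.com"),
    _ev("2023-08-28T10:00:40.000Z", PUSH_DENIED, "alice@example.com"),
    _ev("2023-08-28T10:01:00.000Z", PUSH_SENT, "alice@example.com"),
    _ev("2023-08-28T10:01:10.000Z", PUSH_DENIED, "alice@example.com"),
    _ev("2023-08-28T10:01:30.000Z", PUSH_SENT, "alice@example.com"),
    _ev("2023-08-28T10:02:00.000Z", PUSH_SENT, "alice@example.com"),
    _ev("2023-08-28T10:02:30.000Z", PUSH_SENT, "alice@example.com"),
    _ev("2023-08-28T10:03:00.000Z", MFA_SUCCESS, "alice@example.com"),
    _ev("2023-08-28T10:00:00.000Z", PUSH_SENT, "bob@example.com"),
    _ev("2023-08-28T10:00:20.000Z", MFA_SUCCESS, "bob@example.com"),
]


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def detect_mfa_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received at least `threshold` pushes inside `window`.

    Each finding records how many pushes the user explicitly denied and whether an MFA success
    followed the burst; a success after a burst is the case that needs immediate response."""
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["actor"]["alternateId"]].append(event)

    findings = []
    for user, evs in by_user.items():
        pushes = [e for e in evs if e["eventType"] == PUSH_SENT]
        for i in range(len(pushes)):
            start = _ts(pushes[i])
            burst = [p for p in pushes[i:] if _ts(p) - start <= window]
            if len(burst) < threshold:
                continue
            end = _ts(burst[-1])
            denies = sum(1 for e in evs if e["eventType"] == PUSH_DENIED and start <= _ts(e) <= end)
            approved = any(e["eventType"] == MFA_SUCCESS and e["outcome"]["result"] == "SUCCESS"
                           and start <= _ts(e) <= end + window for e in evs)
            findings.append({"user": user, "pushes": len(burst), "denies": denies,
                             "window_start": pushes[i]["published"],
                             "source_ips": sorted({p["client"]["ipAddress"] for p in burst}),
                             "approved_after_burst": approved,
                             "severity": "high" if approved else "medium"})
            break  # one finding per user per run; a real pipeline de-duplicates across runs
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_bombing(SAMPLE_EVENTS):
        print(finding)
```

Run against a real export, the same function takes the JSON array the System Log API returns (the field paths are the ones assumed above); lower the threshold if the IdP is configured to rate-limit pushes, since a bombing run then shows up as fewer sends plus a run of denies.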